Hafnium Zero-day Exploit: Threat Advisory Report
What is Zero-day Exploit?

A “zero-day exploit” is an attack against a previously unknown software weakness, typically launched on the same day the weakness is discovered, so that it exposes a window of vulnerability before any fix exists. It is called “zero day” because the software vendor has had zero days to address the flaw before it is exploited, which also makes such attacks difficult to detect. Exploits of this kind often go unnoticed and are sold on the black market. Continue reading for a recent discovery of these exploits and what you can do to protect against zero-day attacks.


Hafnium Zero-day Exploit

On March 2, 2021, Microsoft Security Response Center released updates addressing vulnerabilities affecting on-premises deployments of Microsoft Exchange Server 2013/2016/2019. Microsoft also revealed details of active exploitation of these vulnerabilities using zero-day exploits. The exploited vulnerabilities span several classifications, including server-side request forgery (SSRF), deserialization, and a set of arbitrary file write vulnerabilities, all affecting on-premises Exchange deployments. Each of these vulnerabilities was assigned a CVSS base score of 7.8 or higher, placing their severity ratings within the High and Critical range.


In disclosing the active exploitation of these vulnerabilities, Microsoft provided attribution details for the activity in real time. Per their research, the activity is associated with a state-sponsored group they have named “HAFNIUM”. This threat group has reportedly been actively targeting various industries within the United States, ranging from law firms to defense contractors. It has historically been associated with exploitation of vulnerabilities in publicly accessible services and with specific targeting of Microsoft Windows and Office 365 environments. HAFNIUM also uses readily available open-source tools in its attacks, including Covenant, Nishang, PowerCat, and other common offensive security tools.


ReliaQuest Threat Advisory Report

The ReliaQuest Threat Management Team is actively collecting, categorizing, and vetting Indicators of Compromise (IoCs) related to this campaign. Known IoCs are continuously ingested into the GreyMatter Intel platform for use in investigations by the ReliaQuest SOC and ReliaQuest GreyMatter customers. We have proactively engaged with our customers so they understand the risk this campaign poses, and we have built automated retroactive hunts for known IoCs for those affected. The RQ Threat Advisory Report: HAFNIUM/Exchange Zero-Days describes the vulnerabilities and their exploitation in more detail, including IoCs and GreyMatter detection capabilities mapped to MITRE ATT&CK and the Kill Chain.
